
The hackers who breached the defenses of Google and at least 34 other big companies three years ago have unleashed a barrage of new attacks since then, many that exploit previously undocumented vulnerabilities in software from Microsoft and Adobe, a new report has found.

The number of victims affected, the duration of the campaign, and the difficulty of identifying and exploiting so-called zero-day vulnerabilities mean the resources required "could only be provided by a large criminal organization, attackers supported by a nation state, or a nation state itself," the report (PDF), which was prepared by researchers from antivirus provider Symantec, concluded. Targets over the last three years have mainly been located in the defense, energy, and finance industries and educational and non-governmental organizations.

Most significant about the group is "seemingly an unlimited number of zero-day exploits," which refer to vulnerabilities in widely used software that are exploited before there's public knowledge that they exist. Using an infrastructure Symantec researchers have dubbed Elderwood—a name derived from a variable found in some of its software—the hackers have exploited four zero-day bugs this year alone, and evidence suggests the group has wielded another four zero-days over the past two years. The use of so many previously undocumented vulnerabilities indicates the group has an extremely high level of technical capability.

"In order to discover these vulnerabilities, a large undertaking would be required by the attackers to thoroughly reverse-engineer the compiled applications," the researchers wrote. "This effort would be substantially reduced if they had access to source code. The vulnerabilities are used as needed, often within close succession of each other if exposure of any of the vulnerabilities is imminent."

Update: Some security experts were skeptical of Symantec's conclusions. Finding and exploiting previously unknown vulnerabilities is a regular undertaking during penetration testing that's often carried out to success in a matter of hours or days.

"The fact that they use 0days isn't as big a deal as Symantec makes it out to be," said Rob Graham, CEO of penetration testing firm Errata Security. "We constantly find '0days' as part of pentests and use them against our customers. Just the other day, we used a 0day SQL injection bug in [popular manufacturer's name deleted] firewall to break into a customer."

There's no reason to think the attacks tracked by Symantec couldn't have been carried out by a much smaller operation with more modest resources, Graham said.

The group's attacks date back at least to early 2010 or late 2009, when it exploited a zero-day vulnerability in Microsoft's Internet Explorer browser to pierce the defenses of Google and other large companies. With their malware inside Google's network, the attackers siphoned source code and other intellectual property of the company. Few if any of the other victims confirmed they were hit, but researchers widely believe their digital assets were also appropriated en masse.

The trojan that was installed by the exploits was alternately known as Aurora and Hydraq. It used a certain type of obfuscation to cloak its malicious behavior. Symantec researchers have found that same obfuscation technique deployed in trojans that malware operators installed by exploiting zero-days discovered earlier this year in Adobe's Flash Player (cataloged as CVE-2012-0779) and Internet Explorer (CVE-2012-1875).

The researchers found additional attributes linking other exploits to the same actors, such as similarities in the command and control channels that infected computers contacted to receive instructions and software updates. Another link was the practice of compromising third-party websites that were frequently visited by the ultimate targets of the attacks, for example, manufacturers in the defense supply chain or the Hong Kong branch of Amnesty International that was regularly visited by non-governmental organizations.

Researchers have dubbed this approach "watering hole" attacks, and say they're "similar to a predator waiting at a watering hole in a desert. The predator knows that victims will eventually have to come to the watering hole, so rather than go hunting, he waits for his victims to come to him."

The researchers noticed that many of these watering hole attacks used more than one zero-day exploit. What's more, the timing of these changes was suspicious. As soon as one zero-day exploit was identified, it would be replaced by one that had yet to be discovered. Other similarities included the malicious executable files used and the encryption in booby-trapped documents sent to victims in e-mail.

Perhaps the biggest link is the Elderwood platform. It included a document creation kit that made it easy to bundle specific exploit code and a specific piece of malware and embed it into an otherwise clean document file. Elderwood also included a shared Adobe Flash file that created the precise conditions in a targeted computer's memory required for an exploit to be successful. Other possible components may be tools for the automated creation of website accounts and registration of domain names, and an analysis platform for the huge amounts of data that is pilfered.

APTs: Not your father's hack attack

Google's disclosure in 2010 that it and more than a dozen other sensitive companies were penetrated by the sophisticated attackers cemented the security industry's use of the phrase advanced persistent threat. Although many, this reporter included, once viewed it as a largely meaningless buzz phrase, APTs are useful in distinguishing these types of attacks from more common crime-motivated exploits. The chief difference is this: crime-based attacks, which use malware to obtain online banking passwords or credit card data, are opportunistic, so they're directed at everyone. Defending against them mainly involves having security that's better than other people on the Internet.

APTs, by contrast, are directed at a specific person or organization that has unique assets. If attackers don't succeed against a specific target with one campaign, they'll direct a new campaign at the same target and hope for better results. They will repeat the process until they succeed. That makes defending against such attacks significantly harder.

Friday's report from Symantec, which showed that the same attackers who pierced the defenses of Google three years ago are using a virtually unlimited supply of zero-days to penetrate new victims, only bolsters the view that APTs are a serious problem with no easy solutions.

Enough with the hyperbole in the headlines. We get plenty of that from the crap US media who forgot how to be objective and straight-talking journalists a couple decades ago.

Hint: an attack (of any kind) is not "lethal" unless someone dies. No one has died in any hacking attacks I'm aware of, with the possible exception of Iranian nuclear scientists hanging around exploding centrifuges.

Lethal

[lee-thuhl] adjective

1. of, pertaining to, or causing death; deadly; fatal: a lethal weapon; a lethal dose.
2. made to cause death: a lethal chamber; a lethal attack.
3. causing great harm or destruction: The disclosures were lethal to his candidacy.

And no, it wasn't 3 either (lethal to Google). Not even close.

how do you know it didn't cause great harm? i would say forcing google to switch from windows to linux/OSX was pretty impressive.

This is exactly the reason why no company should use close-source software. I'm sure most of those "undocumented" zero-day exploits in Adobe and Microsoft software were documented in their internal bug reports just like all of the previous zero-day exploits in Java by Oracle.

I wonder when they're going to learn their lesson and stop using proprietary software.

Yes, open source software has no bugs, flaws, or security holes in any of it. If there were, they would be found instantly, and also instantly be fixed so this kind of thing can never, ever happen in open source software.

How many of the critical security holes and zero-day exploits in proprietary software for the last year were left untreated for months or years until someone used them?

>Because critical security issues are never distributed for 18 months in open source projects;
>http://www.debian.org/security/2008/dsa-1571

What a great justification. I hope you use that one at work (well, Johnny surfs the net all day at work, so why shouldn't I?) - because you'd end up being sacked from your job in about 5 seconds.

And that's the editor's pick of comments?

Seems like a perfect retort to me. Rex86 is over there talking about how superior open source and how you would never have these kinds of problems and he comes with proof that security exploits can exist in ANY FORM OF SOFTWARE. He's not posting the link to point over to Debian to say; "See, he's doing it too! That means it's OK for me!" He's posting it to say, that no matter what form of software development you choose - proprietary or open source - you can still end up with massive, long-term exploits. Don't get your panties in such a twist.

It's your website but I'd prefer editor comment picks actually had something insightful about the content not defense or offense taken from the headline wording. It really takes away from the main topic.

I was reading the RSS feed and clicked through to complain about the word "lethal", only to find the title was already changed on the site, and a flame war was already boiling over that very topic! Despite fixing the misleading title, the editor still chose to favorite only the comments which support the usage of that word.

Two things:

1. "Lethal" literally means death in the US. We sometimes use it in hyperbole, as in "he has a lethal 3 pointer" or "those comments proved lethal for his campaign," but we must be clear that is an intentional exaggeration for effect. And even in those cases, the term "lethal" implies a metaphorical death, i.e. one good player killing the other team's chances of winning, or a poorly phrased comment ending a politician's campaign.

Furthermore, using hyperbole is typically reserved for editorializing and for fiction, whereas objective journalism should use clear and concise words. Ars usually has very careful, intelligent writing, and when I saw the word "lethal" in the title, I assumed that it was meant literally. People are free to write what they want, but I like Ars because they tend to be precise, rational, and objective... hyperbole is neither precise nor objective.

If the New York Times ran a headline that said, "Pfizer's New Drug Proves Lethal," and then the story was about a safe drug that was a commercial flop, their readers would rightly object to the sensationalist headline, even though you can find some definition of the word "lethal" that would fit that headline.

2. As somebody who works in cyber security, my single biggest gripe day in and day out is the sensationalism and fear that media, government, and vendors drum up to drive their own agendas. In order to improve our cyber security posture, we need to understand what the threats actually are and not worry about threats that aren't there. The persistent attacks against Google, the sophistication of those attacks, and the implications for state-sponsored cyber terrorism are already alarming enough. Ars does not need to artificially inject more emotion into their coverage...

A headline should always stand on its own, and that one, as previously written didn't. Ultimately, use of the word lethal was ambiguous, since it certainly raised the possibility of death in the mind of the reader. That was the thinking behind the decision to change the word to potent, which is more accurate and OMFG sounding anyway.


I didn't realize Ars was full of so many pedants. I guess people shouldn't say "that slays me" if it doesn't kill them.

I've found there's a very literal-minded readership here, or at least commentership.

I think most of y'all are pretty smart but some of y'all can get totally hung up on tiny details/minor disagreements and miss the point. Forest, trees, yadda yadda.

I will throw my hat into the ring and say I agree that the 0day rate is not particularly extraordinary for a talented group with resources. Also, we (the researcher group I run with on twitter) are not sure who coined the term "watering hole" attacks as none of us have heard of it before this. I guess this is Symantec's pet term for the concept?


I find use of the "watering hole" methodology to be the most interesting part of the story. It seems like someone decided that meatspace intelligence gathering activities are just as fruitful in cyberspace. Which makes sense in a way. If these attacks are sponsored by a nation-state they have an interest in surveilling a target over an extended period of time. So, instead of going after the target directly, go after other actors who can then, unintentionally, facilitate the attack on the intended target (and probably provide some useful information along the way for a social engineering attack as well). Think of all the Cold War cloak-and-dagger espionage efforts that went on where some low-level functionary in an organization was targeted so as to gain access to the real target. Quite ingenious. And scary for the future of cyberspace.

For example, could an organization go after the Ars Technica, Slashdot, or StackOverflow sites to get some highly knowledgeable techies to unwittingly "bring home" a compromised device to their place of work? Possibly. Hack one of these sites with a Zero-Day exploit: The site visitors or forum participants take their laptop to work the next day, connect it to the company network, and the intelligence-gathering payload is now within the walls of the corporation without the malefactor ever having to attack directly the target. Like I said, ingenious.

Google at the time of the move out of mainland China, the defense industry, Amnesty HK. Using several zero day attacks in a chain. Not looking to make money. Related to GhostNet attacks on the Dalai Lama... Little wonder everyone thinks it must be the Chinese government hack squad -- we know they must have one after all.

"Stewart of Dell SecureWorks said... the Elderwood gang likely is part of one of the two main attack groups based in China, with this one centered in Beijing and another based around Shanghai."

Even if it was a talented team of William Gibson characters, if they were private they would be trying to make money.



Thanks to all who so patiently and rationally expressed their views.

Yay - good call. The proper use of words is important. If someone was willing to use a word incorrectly then why wouldn't they use a quote incorrectly, or how can you trust them to fact check properly. Sloppy wording is like sloppy dressing. It shows that the person doing it doesn't take pride in their work or care about its quality.

Good job in doing the right thing to correct this. It shows a lot of integrity and dedication to your craft.

god. i just came from a real life event where i laughed (inwardly) at a young man because he couldn't decipher the true meaning of a saying because he was so stuck on the literal.

It was incorrect even in a figurative sense. Businesses can make "lethal business decisions", but only if the result of the decision is that the business ceases to exist. If I fall and break my leg, it wasn't a lethal fall, in a literal figurative, or any other sense.

For an attack to be lethal something needs to die/end, whether it be the business, a product, a career, etc... If it ended some senior bureaucrat's career then maybe you could call it lethal.

Not to beat a dead horse here but George Orwell wrote an essay called "Politics and The English Language" where he argued that when writers no longer take care in their use of language it affects the way we think and renders us unable to have meaningful political discourse.

Words matter, without clear and concise communication our minds become muddled and, he argues, it will lead to the decline of our civilization.

Ars Technica is the only media source I am aware of that takes the quality of their writing seriously.

Is it just me or are we seeing more and more claims that "based on the resources/technical ability/information necessary to carry out such exploits/attacks, this could only have been done if sponsored by a state or by a large criminal organisation." And most of the time, these claims seem like gross exaggeration.


I agree. There are criminal organizations out there that are larger than many "nation-states". The targeting does give an implication of some intent though and in combination with the resource argument it starts to have some weight.

For example if some kind of attack signature is associated with attacks against organizations that don't represent a lot of monetary value, or if the attacks result in looting of data that doesn't directly translate to monetary gain then that could be an argument against organized crime. Although you never know what other motives organized crime might have: control over government officials, etc..

Another point is that in many parts of the world there is not really a clear distinction between the Government and organized crime. According to Misha Glenny's books this is especially true in China. Maybe a bureaucrat facilitates a human trafficking business in exchange for intelligence about foreign companies that are competing with that bureaucrat's nationalized utility company?

It's articles like these that make me want to replace my personal desktop at home with OpenBSD and a browser with javascript, java and all plugins disabled... but the net would be much less fun surfing that way

Businesses can make "lethal business decisions", but only if the result of the decision is that the business ceases to exist.

If the decision kills the project or new storefront or whatever, then it's lethal. In this case, the security measures were "killed". It fits fine.

If you use that as your definition then every successful attack would be a lethal attack, how do you differentiate between a lethal and non-lethal attack? Every time someone gets owned by a Java exploit their computer's security measures were "killed".

The problem then becomes that the word lethal becomes synonymous with the word successful or the word critical, meaning the word lethal no longer has any meaning.

Sort of like how the word "liberate" changed to mean "invade and occupy" and is now largely meaningless or the butt of a joke. This has even happened to the word democracy. I recently saw a bumper sticker that says "Be nice to America or we will bring Democracy to your country". So now democracy is synonymous with "destruction". The creative misuse of words allows us to use, with a semi-clean conscience, torture, indefinite imprisonment without trial, and extra-judicial assassination. Dramatic, but true.


Overuse of 'Editor's Picks' is creating an 'elite thread above the comments thread' all approved or disapproved by one individual. Visually it is difficult to distinguish the 'redacted' comments thread from the real comments thread. Pick one or two Editor's Picks. More than that is an abuse of power that creates a caste system and threatens to supplant the comment thread with a doppelganger thread that contains only a controlled message.

I still get a kick at how computer science so closely resembles biology. Something is created. It gets exploited. A library of antibodies gets created. It gets exploited again. The lines between biology and technology blur every day, since they use a lot of the same concepts.

Sort of like how the word "liberate" changed to mean "invade and occupy" and is now largely meaningless or the butt of a joke. This has even happened to the word democracy. I recently saw a bumper sticker that says "Be nice to America or we will bring Democracy to your country". So now democracy is synonymous with "destruction". The creative misuse of words allows us to use, with a semi-clean conscience, torture, indefinite imprisonment without trial, and extra-judicial assassination. Dramatic, but true.

In other words, languages are living, evolving things? You don't say!

They can be, but like other living things they can also die.

Google define: word

1. A single distinct meaningful element of speech or writing, used with others (or sometimes alone) to form a sentence and typically shown with a space on either side when written or printed

Once the meaning of a word loses its meaning it ceases to be a word and dies. Meaning can change and that's fine. But if it loses all meaning, as in this case, then it doesn't even meet the criteria of being a word.

Kobe Bryant threw a lethal free-throw! I ate a lethal breakfast! I took a lethal step out of bed today! That was a lethal breeze that messed up my hair today! That was a totally lethal papercut!

At that point I think the construct becomes more a piece of punctuation than a word.

For a security professional, it would be incredibly useful to know whether these successful campaigns of zero-day exploits are getting behind firewalls by direct front-door attacks on servers, drive-by web malware attacks against browsers, or by email attachment. If a combination, what is the proportions?

Victims of hacking attacks are, in my humble opinion, far too silent. Probably they are either:
1) Self-defeating by being so secretive about the details of the methods of the exploits, or
2) Caught unprepared by having insufficient backdoor detection and logging to know the root cause.



If my memory serves me well, they were targeting among other things the accounts of dissidents, human rights activists, other social issues activists, and organizations serving the same...

Oh yeah, there were a bunch of military/defence contractors and the like, too.

Not that you don't have a fair point, but I wouldn't be quite so quick to dismiss the applicability of the word "lethal" to this case. Whether metaphorically or literally.